Improper Verification of Cryptographic Signature in Enigmail - CVE-2017-17847
Published: December 27, 2017 / Updated: July 17, 2020
Vulnerability identifier: #VU31379
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-17847
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: enigmail.mozdev.org
Affected software:
Enigmail
Enigmail
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message, aka TBE-01-021. This is demonstrated by an e-mail message with an attachment that is a signed e-mail message in message/rfc822 format.
How to mitigate CVE-2017-17847
Install update from vendor's website.
Sources
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.html
- https://sourceforge.net/p/enigmail/bugs/709/
- https://www.debian.org/security/2017/dsa-4070
- https://www.mail-archive.com/enigmail-users@enigmail.net/msg04280.html